Using "merge" to append a string literal to an array field?

This is probably a stupid question, but how can I append a literal string to an array in Logstash?

I tried merge:

if [my_ip] and ([my_ip] == "127.0.0.1") {
  mutate {
    merge => { "[my_hostname]" => "loopback" }
  }
}

But the issue is that it's looking for a field called "loopback", so my_hostname ends up empty.

Is there a way I can indicate the value is a literal rather than a field name?

I could probably do something like this:

event.set('my_hostname', event.get('my_hostname') + ['loopback'])

But I don't know if that will be worse performance?

Or I could add it to a temporary @metadata field and then merge that, but that seems like extra steps too.

Thanks!

mutate { gsub => [ "myhostname", "$", "loopback" ] }

Not quite what I meant, I think. I'm not wanting to append "loopback" to the string in myhostname. I want myhostname to be an array, and I am appending "loopback" to its list of values.

In other words, prior to this "myhostname" might contain two elements, "apple" and "banana". After this filter, I want myhostname to contain three elements, "apple", "banana", and "loopback"

Or does gsub also interpret "$" to mean "the end of the array" if the field is an array field?

Hm, I'm reading now that apparently calling add_field twice on the same field will turn it into an array, which would be simpler than using merge. I'll try that.

Yes, that works. Apparently calling "add_field" twice turns the value into an array.
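
The add_field approach that resolved this thread, written out as a self-contained test pipeline (an added example, not code from any poster in the thread). The sample events and the file name append.conf are constructed; the filter relies on add_field appending to a field that already exists, which turns that field into an array.

```logstash
# append.conf (constructed file name); run with: bin/logstash -f append.conf
input {
  generator {
    # Constructed sample events covering the cases that matter:
    #   1. my_hostname is already an array
    #   2. my_hostname is a single string
    #   3. my_hostname is missing
    #   4. my_ip does not match, so the event must pass through untouched
    lines => [
      '{"my_ip":"127.0.0.1","my_hostname":["apple","banana"]}',
      '{"my_ip":"127.0.0.1","my_hostname":"apple"}',
      '{"my_ip":"127.0.0.1"}',
      '{"my_ip":"10.0.0.5","my_hostname":["apple","banana"]}'
    ]
    count => 1
    codec => "json"
  }
}

filter {
  if [my_ip] == "127.0.0.1" {
    mutate {
      # The right-hand side of add_field is a literal (with %{field}
      # interpolation), not a field reference as it is for merge.
      # If my_hostname exists, the literal is appended and the field
      # becomes an array; if it does not exist, it is created as a
      # plain string.
      add_field => { "my_hostname" => "loopback" }
    }
  }
}

output {
  # Print every event so the resulting shape of my_hostname can be inspected.
  stdout { codec => rubydebug }
}
```

add_field does not deduplicate, so an event that passes through this filter twice ends up with "loopback" in the array twice.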
